Conditional Access Policies

Now that we have a Compliance Policy in place, it is time to create a Conditional Access Policy, which will vary depending if we are using Exchange Online or Exchange on-premises.

Conditional Access Policies for Exchange Online use the following logic to evaluate whether a device should be allowed or blocked from accessing Exchange Online:

Figure 1

Please note that if we have not deployed a compliance policy and then enable the Exchange Online policy, all targeted devices will be reported as compliant. Also, regardless of the compliance state, all users who are targeted by the policy will be required to enroll their devices with Intune.

Block email apps from accessing Exchange On-premises if the device is noncompliant or not enrolled to Microsoft Intune

When we select this option, devices that are not managed by Intune or are not compliant with a compliance policy that was deployed to them will be blocked from accessing Exchange unless they have been defined as exempt.

Targeted Groups

Select one or more Intune user groups. Members of this group must enroll their device with Intune to be able to access Exchange.

Exempted Groups

Select one or more Intune user groups that will be exempt from the conditional access policy.

These devices can be of any type, so device types that are unsupported by Intune can be configured here as well.

Default Rule

When a device not covered by any of the other rules is detected, we can choose to allow it to access Exchange, block it or quarantine it so we can decide later what to do.

The default rule will apply to all device types, so device types that are unsupported by Intune will be affected as well.

User Notification

Specify the text to include when Exchange sends an email to users whose devices have been quarantined or blocked. HTML tags can be used to format how the text will appear in the email message.

Exchange server wraps the custom user notification text with the following text:

Your phone won't be able to synchronize with the server via Exchange ActiveSync because of an access policy defined on the server.

Additionally, information about the blocked device will be listed in the email message.

Note that the notification is delivered to the user’s Exchange mailbox. However, it will not be delivered immediately to the device that is blocked. Other email clients that the user has access to via their web browser or on other devices they own will receive this notification.

Table 1

For Exchange on-premises:

After a user sets up an Exchange ActiveSync profile, it might take from 1 to 3 hours for the device to be blocked (if it is not managed by Intune);

If a blocked user then enrolls the device with Intune (or remediates noncompliance), email access will be unblocked within 2 minutes;

If the user un-enrolls from Intune it might take from 1 to 3 hours for the device to be blocked.

In order to view devices that do not conform to a compliance policy, follow these steps:

Open the Policy tab for any device that is compatible with compliance policies;

From the Filters drop-down list, select Does not conform to compliance policy.

To view devices that were blocked from accessing Exchange, on the Intune dashboard, a tile named Blocked Devices from Exchange shows the number of blocked devices and links to more information.

User Experience

At this stage we have Conditional Access configured. So it is time we now look at the user experience. Let us start with a Windows Phone device that already had a mail profile created (for an Exchange Online mailbox) before conditional access was put in place. The user has access to all the emails in his/hers mailbox until conditional access was configured. Once we enable Conditional Access, the user will receive a notification from Intune (top email):

Figure 6

If we open the email, it explains that to access Exchange the device has to be enrolled and it provides information on how to do it:

Figure 7

From here, the process is identical to what we have already seen.

Let us now look at a new email profile on an iOS device (iPad) for the same account above. After creating the new profile, we only get to see Intune’s notification and not any of the other emails that are already in the mailbox:

Figure 8

As before, the notification informs the user that the device needs to be enrolled and explains how to do it:

Figure 9

From here, the process is identical to what we have already seen:

Figure 10

Next, let us look at an Android device which, like the Windows Phone, already had a mail profile created before conditional access was enabled. The user has access to all the emails in his/hers mailbox until conditional access was configured. At that time, the user will receive a notification from Intune (top email):

Figure 11

As before, the notification informs the user that the device needs to be enrolled and explains how to do it:

Figure 12

As we haven’t looked at enrolling an Android device, let us do it from start to finish. By clicking on the link above we are taken to management portal website where we click on Get the app to download the Company Portal app:

Figure 13

We are taken to the Google Play store where we can download and install the app:

Figure 14

Once installed, click OPEN:

Figure 15

On the Company Portal app, the enrollment process begins. Click Next:

Figure 16

We then enter our credentials and click Sign in:

Figure 17

Once signed in, we are informed of what Intune will be able to perform on our device:

Figure 18

After clicking ACTIVATE, we need to install a digital certificate. Simply click OK to accept the default name:

Figure 19

The device is then enrolled:

Figure 20

Once enrolled, we have access to the Company Portal:

Figure 21

And we finally get access to our email:

Figure 22

Let us say that in the meantime the Compliance Policy gets updated and our device is no longer compliant. In this case, a stronger passcode is required, so we are informed of that:

Figure 23

Going to the Company Portal we can see that our device is no longer compliant:

Figure 24

And by clicking in VIEW we can see exactly why this is the case:

Figure 25

We can also check the same from other devices. For example, if we go back to the iPad we configured a minute ago for this account, go to Devices, we can see that the Android device is no longer compliant:

Figure 26

Once more, we can also see exactly what that is:

Figure 27

The same thing applies to the Intune console as well:

Figure 28

Here we can see that one device has one or more errors:

Figure 29

And we can easily get to the bottom of what the problem(s) is:

Figure 30

Figure 31

Figure 32

If, on the other hand, we look at the iPad, we can see that it is fully compliant:

Figure 33

We can also look into the Mobile Device Details of this user to see the status of any EAS devices the user has connected to Exchange. In this case, we see the three devices we have just configured are allowed to connect to Exchange as they are all enrolled and compliant:

Figure 34

One thing I noticed was that, for example, the iPad would force me to set a passcode (and would not let me do anything else before setting one). The Android would still let me access my corporate email even without a PIN... It certainly blocked my phone from accessing the email while it was not enrolled, but after enrolling I could access my email without setting a PIN - I would just get two constant reminders that my device is not compliant, but nothing enforced...

Conclusion

In this article we concluded exploring Intune’s Conditional Access feature. In the next and final part of this article series, we will look at Remote Wipe, Remote Lock and Passcode Reset.

If you would like to read the other parts in this article series please go to: